Navigating India’s Data Protection Regime in 2025: Compliance Roadmap for Businesses

Authors: Gaurav Shanker, Managing Partner, and Yamini Mishra, Associate

Article by Business Law Chamber

With the dawn of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), Indian businesses now face a decisive shift in how personal data must be collected, processed, stored and protected. As the Central Government advances the rule-making process under the DPDP Act, and parallel sectoral regulators like the Reserve Bank of India (RBI) tighten data localisation requirements, the compliance burden on businesses in India has increased significantly. The year 2025 is likely to be a watershed moment in India’s data privacy regime. The Draft Rules framed under the DPDP Act, issued in January this year, provide businesses with operational guidance and compliance checkpoints. This article aims to unpack the key compliance obligations Indian companies must be mindful of, the risks of non-compliance, and the practical steps to prepare for the new regulatory landscape.

The Evolving Legal Framework

The DPDP Act, which received Presidential assent in August 2023, is India’s first dedicated law on personal data protection. While the Act sets out the broad framework of rights and obligations, the detailed operational requirements were released through the draft Digital Personal Data Protection Rules in January 2025 (“Draft Rules”). These Draft Rules, for which public consultation closed in February, provide granular guidance on consent mechanisms, notice formats, grievance redressal, data breach notifications and cross-border transfers.

Crucially, the DPDP framework is designed to be principle-based and accountability-driven. It imposes compliance obligations not only on data fiduciaries, i.e., entities that determine the purpose and means of data processing, but also on processors and vendors who operate on behalf of fiduciaries. This imposes a heightened duty of care throughout the data lifecycle, from collection to disposal.

Consent, Purpose Limitation and Transparency

One of the core requirements under the DPDP Act is obtaining valid and informed consent from individuals (“Data Principals”) before collecting their personal data. The Draft Rules further mandate that consent be free, specific, informed, and unambiguous. Bundled consents or pre-ticked checkboxes are considered non-compliant.

Equally important is the notice requirement, which mandates fiduciaries to provide individuals with a clear, concise, and accessible description of what data is being collected, for what purpose, how long it will be retained, and how it will be processed. Notices must be made available in English and optionally in one of the languages specified in the Eighth Schedule to the Constitution.

Indian companies must accordingly revisit their privacy policies and onboarding processes to ensure that consent is captured in a verifiable manner and that privacy notices are tailored to the business's actual data practices. The principle of purpose limitation must be embedded into the system design; data collected for one purpose cannot be repurposed without fresh consent.

Rights of Data Principals and Grievance Redressal

The DPDP regime grants individuals several rights, including the right to access their data, seek correction or erasure and restrict or object to processing. There is also a right to nominate another individual to exercise these rights in the event of death or incapacity.

Data fiduciaries are required to establish robust grievance redressal mechanisms and provide contact details of the grievance officer and the data protection officer (if applicable) in the privacy notice. Timely and transparent handling of grievances will not only be a compliance requirement but also a reputational imperative.

These rights place an operational burden on data fiduciaries, especially those with high user volumes. Companies must therefore invest in automated workflows and team training to ensure timely acknowledgment and resolution of Data Principals’ requests.

Security Measures and Breach Notifications

The DPDP framework requires businesses to implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. This includes data encryption, access control, employee training, and vendor due diligence.

In the event of a personal data breach, companies are under an obligation to notify the Data Protection Board of India as well as affected individuals without undue delay. While the Act does not prescribe a fixed timeline, companies may consider adopting an internal 72-hour reporting standard in alignment with global frameworks such as the European Union’s General Data Protection Regulation (EU GDPR), 2016. The notification must include the nature of the breach, the data impacted, the steps taken, and the preventive measures adopted.

Failure to comply with breach notification requirements may attract significant penalties. Therefore, breach response plans and drills should form part of regular compliance exercises.

Data Minimisation, Retention and Deletion

The principle of data minimisation requires that only such personal data as is necessary for the specified purpose be collected. The retention principle, similarly, requires that personal data be retained only for as long as necessary and then deleted securely.

To comply, Indian companies must implement structured data retention policies. This includes: maintaining a data inventory, categorising data sets, assigning retention timelines, and setting up mechanisms for automatic deletion or anonymisation.

The challenge lies not only in technical execution but in ensuring that the business rationale for retention aligns with declared purposes in the privacy policy and consent forms.
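The retention review described above, as an added illustration that is not part of the original article: a constructed data inventory maps each data category to its declared purpose, a retention timeline and an end-of-life action, and each record is checked for purpose alignment, consent withdrawal and expiry. The categories, timelines and the `legal_hold` flag are assumptions chosen for the example, not periods prescribed by the DPDP Act or the Draft Rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed data inventory (assumption, not a statutory schedule):
# category -> (declared purpose, retention in days, action at end of retention).
RETENTION_SCHEDULE = {
    "kyc_document": ("account_opening", 365 * 5, "delete"),
    "marketing_preference": ("marketing", 365, "delete"),
    "support_ticket": ("customer_support", 180, "anonymise"),
}

@dataclass
class Record:
    record_id: str
    category: str
    consented_purpose: str   # purpose stated in the notice the Data Principal agreed to
    collected_on: date
    consent_withdrawn: bool = False
    legal_hold: bool = False  # assumption: a separate statute requires continued retention

def review_record(rec: Record, today: date) -> tuple[str, str]:
    """Decide what to do with one record. Returns (action, reason).

    Actions: retain, delete, anonymise, flag_purpose_mismatch, flag_uninventoried.
    """
    if rec.category not in RETENTION_SCHEDULE:
        # Data that is not in the inventory cannot be shown to be minimised or purpose-bound.
        return "flag_uninventoried", "category missing from data inventory"
    purpose, days, end_action = RETENTION_SCHEDULE[rec.category]
    if rec.consented_purpose != purpose:
        # Purpose limitation: the declared purpose must match what was consented to.
        return "flag_purpose_mismatch", (
            f"consented for {rec.consented_purpose!r}, inventory purpose is {purpose!r}")
    if rec.legal_hold:
        return "retain", "retention required by another law"
    if rec.consent_withdrawn:
        return "delete", "consent withdrawn"
    expiry = rec.collected_on + timedelta(days=days)
    if today >= expiry:
        return end_action, f"retention period ended on {expiry.isoformat()}"
    return "retain", f"retain until {expiry.isoformat()}"

def review_all(records: list[Record], today: date) -> dict[str, str]:
    """Map every record id to its scheduled action for the automated job."""
    return {r.record_id: review_record(r, today)[0] for r in records}
```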

Significant Data Fiduciaries and Additional Obligations

The DPDP Act empowers the government to designate certain entities as Significant Data Fiduciaries (“SDFs”) based on factors like volume and sensitivity of data processed, risk to individuals, and impact on critical infrastructure. Although the final criteria are yet to be notified, companies operating at scale, especially in finance, health, or ed-tech, must be prepared for enhanced compliance obligations.

SDFs will be required to conduct Data Protection Impact Assessments (“DPIAs”), maintain periodic audits, appoint resident data protection officers, and ensure algorithmic transparency for automated decision-making.

Companies expecting to be classified as SDFs must initiate these processes proactively and ensure alignment with international standards like ISO 27701 and National Institute of Standards and Technology privacy frameworks.

Cross-Border Data Transfers and RBI Requirements

While the DPDP Act does not impose a general restriction on cross-border data transfers, it empowers the Central Government to notify countries or territories to which transfers may be restricted, subject to future exemptions or conditions. This introduces an additional layer of regulatory control, which may evolve into more granular sector-specific mandates.

Separately, entities in the financial sector must continue to comply with data localisation norms set by the Reserve Bank of India (RBI). As per the RBI’s April 2018 Circular, all payment system operators must store payment data, including transaction details and customer identifiers, exclusively in India. While limited processing outside India may be permitted for functions such as fraud detection or dispute resolution, the RBI requires that a complete copy of the payment data be stored in India and remain accessible to Indian regulators.

These requirements demand strong vendor governance and cross-functional alignment between legal, IT and operations teams.

Compliances under the IT Act and Other Laws

While the DPDP Act is poised to become the primary legislation governing personal data in India, several existing legal frameworks continue to impose parallel obligations that businesses must account for. Key among these are the rules and directions issued under the Information Technology Act, 2000.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under Section 43A of the IT Act, require body corporates that handle sensitive personal data to publish privacy policies, obtain informed consent prior to collection, and implement documented security safeguards. These obligations remain applicable until explicitly repealed or harmonised under the DPDP regime.

In addition, the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), issued directions in April 2022 which mandate that entities report cybersecurity incidents involving personal data, such as unauthorised access, identity theft, and data breaches, within six hours of detection. The Directions also require companies to retain system logs for a period of 180 days and furnish them to CERT-In upon request.

Further, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, impose data governance and user safety obligations on intermediaries, including timelines for takedown of unlawful content, appointment of grievance and compliance officers, and protocols for processing user complaints, many of which relate to privacy and personal information management.

These frameworks remain relevant from a compliance and diligence standpoint. Companies are expected to maintain updated documentation, privacy policies, vendor and employee safeguards, and ensure alignment with applicable sectoral laws.

Conclusion

For Indian businesses, 2025 marks a pivotal moment to institutionalise data protection as a core organisational function. The DPDP framework is not limited to box-ticking compliance; it reflects a broader regulatory shift towards accountability, transparency and user-centric governance.

Organisations that take early action, by establishing robust data governance structures, appointing privacy professionals and embedding privacy awareness across teams, will be better positioned to mitigate enforcement risk and foster long-term stakeholder trust.

Data privacy is no longer a peripheral IT or legal issue; it has become a board-level priority and a key marker of institutional credibility in the digital economy.